From 61769fd1e31b49f451dda33a36c7d5cf639698b5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 4 Mar 2020 19:26:55 +0100
Subject: [PATCH] openssl: Don't check signature if issuer doesn't match always

Doing this for the self-signed check also (i.e. if this and issuer are the same) is particularly useful if the issuer uses a different key type. Otherwise, we'd try to verify the signature with an incompatible key that would result in a log message.

Fixes #3357.
---
 src/libstrongswan/plugins/openssl/openssl_x509.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 6a8f6ff086..4f8395136a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -416,10 +416,10 @@ METHOD(certificate_t, issued_by, bool,
 {
 return FALSE;
 }
- if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
- {
- return FALSE;
- }
+ }
+ if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
+ {
+ return FALSE;
 }
 key = issuer->get_public_key(issuer);
 if (!key)
-- 
2.47.2
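Review bot: The hoisted `this->issuer->equals(this->issuer, issuer->get_subject(issuer))` check now also gates the self-signed path, but nothing in the code says why, and a reader could mistake the issuer/subject DN match for a trust decision rather than a cheap pre-filter. A comment above the added `if` would keep the commit's intent with the code, e.g. `/* also for self-signed certs: a DN mismatch can't be a valid issuer, so bail before attempting a signature check with a possibly incompatible key; this is only a filter, the signature verification below decides */`. Since the `}` added just before it closes the else branch, the earlier rejections in that branch (the `return FALSE` visible as context, presumably the type/CA checks) still precede the DN comparison for a foreign issuer, while in the this == issuer case `get_subject()` is invoked on this object itself. The remainder of issued_by, including the signature verification the DN check is meant to short-circuit, lies outside the hunk.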